Guided Exercise: Integrating Social Login with Red Hat Single Sign-On

  • Integrate third-party identity providers to secure RH-SSO applications.

Outcomes

  • Add Red Hat OpenShift as an identity provider in RH-SSO.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start identity-broker

Procedure 4.2. Instructions

  1. Log in as the admin user in the RH-SSO Admin Console.

    1. On the workstation machine, use Firefox to navigate to the RH-SSO web UI URL at https://sso.lab.example.com:8080.

    2. Click Administration Console. Log in as the admin user with redhat as the password. By default, the main page shows the Realm Settings menu for the rhtraining realm.

  2. Verify the users for the rhtraining realm.

    1. Click Manage > Users.

    2. Click View all users.

    3. Verify only alice is a user in the rhtraining realm.

  3. Log in to your Red Hat OpenShift cluster as the admin user with the redhat password. List the users.

    1. Open the terminal application on the workstation machine. Log in to the ocp4.example.com cluster as the admin user.

      [student@workstation ~]$ oc login -u admin -p redhat \
        https://api.ocp4.example.com:6443
      Login successful.
      ...output omitted...
    2. List the users on Red Hat OpenShift.

      [student@workstation ~]$ oc get users
      NAME        UID             FULL NAME   IDENTITIES
      admin       ea966479-...                htpasswd_provider:admin
      developer   9bcedb9c-...                htpasswd_provider:developer
  4. Create the Red Hat OpenShift identity provider in RH-SSO.

    Note

    Note that steps 4, 5, and 6 run in parallel. In step 4 you start creating the identity provider in RH-SSO to take note of the redirectURI parameter, but do not save it yet. In step 5 you create the OAuthClient custom resource by using the redirectURI from RH-SSO, and take note of the OAuthClient name and secret. Finally, in step 6 you finish the configuration for the identity provider in RH-SSO by using the name and secret from the OAuthClient.

    1. Change to the RH-SSO Firefox tab. Click Configure > Identity Providers. Select Openshift v4.

    2. Copy the Redirect URI field. Do not click Save yet.

  5. Create the rhsso-identity project on Red Hat OpenShift and an OAuthClient custom resource.

    1. Change to the terminal window where you logged in to Red Hat OpenShift. Change to the ~/DO313/labs/identity-broker directory.

      [student@workstation ~]$ cd ~/DO313/labs/identity-broker
    2. Create the rhsso-identity project.

      [student@workstation identity-broker]$ oc new-project rhsso-identity
      Now using project "rhsso-identity" on server "https://api.ocp4.example.com:6443".
      ...output omitted...
    3. Create the ocp-identity.yaml file as follows. The redirectURIs field must be the same one that you copied from RH-SSO. Take note of the name and secret values from the custom resource. Note that the redirectURI line has been split so that it displays correctly in the PDF guide. Do not add the line break in your YAML file.

      kind: OAuthClient
      apiVersion: oauth.openshift.io/v1
      metadata:
        name: ocp-identity
      secret: mysecret
      redirectURIs:
        - "https://sso.lab.example.com:8080/auth/realms/rhtraining/broker/openshift-v4/endpoint"
      grantMethod: prompt
    4. Use the oc command to create the ocp-identity OAuthClient custom resource in the rhsso-identity namespace.

      [student@workstation identity-broker]$ oc create -f \
        ocp-identity.yaml -n rhsso-identity
      oauthclient.oauth.openshift.io/ocp-identity created
  6. Complete the identity provider fields on RH-SSO.

    1. Change to the RH-SSO Firefox tab.

    2. Fill the new identity provider parameters as follows.

      Parameter       Value
      Display Name    OpenShift
      Client ID       ocp-identity
      Client Secret   mysecret
      Base URL        https://api.ocp4.example.com:6443
    3. Scroll down and click Save.
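
The exchange in steps 4 to 6 hinges on two values matching exactly: the Redirect URI that RH-SSO shows for the openshift-v4 broker and the redirectURIs entry of the OAuthClient. The following shell script is an added example, not part of the DO313 lab; it derives the broker endpoint from the RH-SSO base URL, realm and provider alias, renders an OAuthClient manifest in the lab's shape, and checks that a manifest registers exactly that endpoint. The helper names are hypothetical, and it generates a random client secret instead of the lab's mysecret.

```shell
# Added example, not part of the DO313 lab: derive the RH-SSO broker redirect URI
# for an identity provider alias and check that an OAuthClient manifest registers
# exactly that URI, so OpenShift only sends authorization codes back to RH-SSO.

# The Redirect URI field in RH-SSO follows <base>/auth/realms/<realm>/broker/<alias>/endpoint
broker_redirect_uri() {
  base="$1"; realm="$2"; alias="$3"
  printf '%s/auth/realms/%s/broker/%s/endpoint\n' "${base%/}" "$realm" "$alias"
}

# Generate a client secret instead of a guessable literal: 32 random bytes, base64.
new_client_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Render an OAuthClient manifest in the shape the lab uses. grantMethod: prompt
# keeps the consent screen, so the user sees which client asks for their identity.
render_oauthclient() {
  name="$1"; secret="$2"; redirect_uri="$3"
  cat <<EOF
kind: OAuthClient
apiVersion: oauth.openshift.io/v1
metadata:
  name: $name
secret: $secret
redirectURIs:
  - "$redirect_uri"
grantMethod: prompt
EOF
}

# Print the redirectURIs list items of a manifest read from stdin, quotes stripped.
oauthclient_redirect_uris() {
  sed -n '/^redirectURIs:/,/^[^ -]/p' |
    sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# Succeed only when the manifest registers exactly the expected broker endpoint.
check_oauthclient_redirect() {
  expected="$1"; manifest="$2"
  [ "$(printf '%s\n' "$manifest" | oauthclient_redirect_uris)" = "$expected" ]
}

# Constructed sample data: the lab's values, and a manifest pointing at another realm.
EXPECTED_URI=$(broker_redirect_uri https://sso.lab.example.com:8080 rhtraining openshift-v4)
GOOD_MANIFEST=$(render_oauthclient ocp-identity "$(new_client_secret)" "$EXPECTED_URI")
BAD_MANIFEST=$(render_oauthclient ocp-identity mysecret \
  "$(broker_redirect_uri https://sso.lab.example.com:8080 master openshift-v4)")
check_oauthclient_redirect "$EXPECTED_URI" "$GOOD_MANIFEST" && echo "ocp-identity: redirect URI ok"
check_oauthclient_redirect "$EXPECTED_URI" "$BAD_MANIFEST" || echo "BAD_MANIFEST: redirect URI mismatch"
```

Against a live cluster the same check can be fed the output of oc get oauthclient ocp-identity -o yaml instead of the constructed manifest.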

  7. Run the finance-webapp application and test the Red Hat OpenShift user authentication.

    1. Change to the terminal application and change to the ~/DO313/labs/identity-broker/finance-webapp directory.

      [student@workstation identity-broker]$ cd \
        ~/DO313/labs/identity-broker/finance-webapp
    2. From the terminal, compile and run the application.

      [student@workstation finance-webapp]$ mvn install && \
        java -jar target/quarkus-app/quarkus-run.jar
      ...output omitted...
      2023-01-24 10:42:31,542 INFO  [io.quarkus] (main) finance-webapp 1.0.0-SNAPSHOT on JVM (powered by Quarkus 2.14.2.Final) started in 1.940s. Listening on: http://0.0.0.0:8080
      2023-01-24 10:42:31,544 INFO  [io.quarkus] (main) Profile prod activated.
      2023-01-24 10:42:31,544 INFO  [io.quarkus] (main) Installed features: [cdi, oidc, oidc-client, oidc-token-propagation, qute, reactive-routes, rest-client, rest-client-jackson, resteasy, resteasy-qute, security, servlet, smallrye-context-propagation, smallrye-jwt, vertx]

      Leave the terminal open.

    3. Open a new Firefox tab and navigate to the finance web application URL at http://localhost:8080/finance. Click Show my access token.

    4. Click OpenShift. When prompted, click htpasswd_provider and log in as the developer user with developer as the password.

    5. Click Allow selected permissions. By doing so, the developer user consents to the Red Hat OpenShift identity provider sharing their user information with RH-SSO.

    6. Fill the parameters for the developer user as follows.

      Parameter     Value
      Username      developer
      Email         developer@example.com
      First name    John
      Last name     Doe
    7. Click Submit.

  8. Verify the users for the rhtraining realm.

    1. Change to the RH-SSO Firefox tab. Click Manage > Users.

    2. Verify developer is a user in the rhtraining realm. Click the developer user ID.

    3. Change to the Identity Provider Links tab. Verify the developer user identity provider alias is openshift-v4.

  9. Close all the Firefox windows. Close the application running in the terminal by pressing Ctrl+C. Change to the /home/student directory.

    [student@workstation finance-webapp]$ cd
    [student@workstation ~]$

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish identity-broker

This concludes the section.

Revision: do313-7.6-bc10333